HIPAA Administrative Simplification

U.S. Department of Health and Human Services
Office for Civil Rights

HIPAA Administrative Simplification
Regulation Text
45 CFR Parts 160, 162, and 164
(Unofficial Version, as amended through March 26, 2013)

HIPAA Administrative Simplification Regulation Text
March 2013

HIPAA Administrative Simplification
Table of Contents

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

SUBPART A—GENERAL PROVISIONS
§ 160.101 Statutory basis and purpose.
§ 160.102 Applicability.
§ 160.103 Definitions.
§ 160.104 Modifications.
§ 160.105 Compliance dates for implementation of new or modified standards and implementation specifications.

SUBPART B—PREEMPTION OF STATE LAW
§ 160.201 Statutory basis.
§ 160.202 Definitions.
§ 160.203 General rule and exceptions.
§ 160.204 Process for requesting exception determinations.
§ 160.205 Duration of effectiveness of exception determinations.

SUBPART C—COMPLIANCE AND INVESTIGATIONS
§ 160.300 Applicability.
§ 160.302 [Reserved]
§ 160.304 Principles for achieving compliance.
§ 160.306 Complaints to the Secretary.
§ 160.308 Compliance reviews.
§ 160.310 Responsibilities of covered entities and business associates.
§ 160.312 Secretarial action regarding complaints and compliance reviews.
§ 160.314 Investigational subpoenas and inquiries.
§ 160.316 Refraining from intimidation or retaliation.

SUBPART D—IMPOSITION OF CIVIL MONEY PENALTIES
§ 160.400 Applicability.
§ 160.401 Definitions.
§ 160.402 Basis for a civil money penalty.
§ 160.404 Amount of a civil money penalty.
§ 160.406 Violations of an identical requirement or prohibition.
§ 160.408 Factors considered in determining the amount of a civil money penalty.
§ 160.410 Affirmative defenses.
§ 160.412 Waiver.
§ 160.414 Limitations.
§ 160.416 Authority to settle.
§ 160.418 Penalty not exclusive.
§ 160.420 Notice of proposed determination.
§ 160.422 Failure to request a hearing.
§ 160.424 Collection of penalty.
§ 160.426 Notification of the public and other agencies.

SUBPART E—PROCEDURES FOR HEARINGS
§ 160.500 Applicability.
§ 160.502 Definitions.
§ 160.504 Hearing before an ALJ.
§ 160.506 Rights of the parties.
§ 160.508 Authority of the ALJ.
§ 160.510 Ex parte contacts.
§ 160.512 Prehearing conferences.
§ 160.514 Authority to settle.
§ 160.516 Discovery.
§ 160.518 Exchange of witness lists, witness statements, and exhibits.
§ 160.520 Subpoenas for attendance at hearing.
§ 160.522 Fees.
§ 160.524 Form, filing, and service of papers.
§ 160.526 Computation of time.
§ 160.528 Motions.
§ 160.530 Sanctions.
§ 160.532 Collateral estoppel.
§ 160.534 The hearing.
§ 160.536 Statistical sampling.
§ 160.538 Witnesses.
§ 160.540 Evidence.
§ 160.542 The record.
§ 160.544 Post hearing briefs.
§ 160.546 ALJ's decision.
§ 160.548 Appeal of the ALJ's decision.
§ 160.550 Stay of the Secretary's decision.

PART 162—ADMINISTRATIVE REQUIREMENTS

SUBPART A—GENERAL PROVISIONS
§ 162.100 Applicability.
§ 162.103 Definitions.

SUBPARTS B-C [RESERVED]

SUBPART D—STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH CARE PROVIDERS
§ 162.402 [Reserved]
§ 162.404 Compliance dates of the implementation of the standard unique health identifier for health care providers.
§ 162.406 Standard unique health identifier for health care providers.
§ 162.408 National Provider System.
§ 162.410 Implementation specifications: Health care providers.
§ 162.412 Implementation specifications: Health plans.
§ 162.414 Implementation specifications: Health care clearinghouses.

SUBPART E—STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH PLANS
§ 162.502 [Reserved]
§ 162.504 Compliance requirements for the implementation of the standard unique health plan identifier.
§ 162.506 Standard unique health plan identifier.
§ 162.508 Enumeration System.
§ 162.510 Full implementation requirements: Covered entities.
§ 162.512 Implementation specifications: Health plans.
§ 162.514 Other entity identifier.

SUBPART F—STANDARD UNIQUE EMPLOYER IDENTIFIER
§ 162.600 Compliance dates of the implementation of the standard unique employer identifier.
§ 162.605 Standard unique employer identifier.
§ 162.610 Implementation specifications for covered entities.

SUBPARTS G-H [RESERVED]

SUBPART I—GENERAL PROVISIONS FOR TRANSACTIONS
§ 162.900 [Reserved]
§ 162.910 Maintenance of standards and adoption of modifications and new standards.
§ 162.915 Trading partner agreements.
§ 162.920 Availability of implementation specifications and operating rules.
§ 162.923 Requirements for covered entities.
§ 162.925 Additional requirements for health plans.
§ 162.930 Additional rules for health care clearinghouses.
§ 162.940 Exceptions from standards to permit testing of proposed modifications.

SUBPART J—CODE SETS
§ 162.1000 General requirements.
§ 162.1002 Medical data code sets.
§ 162.1011 Valid code sets.

SUBPART K—HEALTH CARE CLAIMS OR EQUIVALENT ENCOUNTER INFORMATION
§ 162.1101 Health care claims or equivalent encounter information transaction.
§ 162.1102 Standards for health care claims or equivalent encounter information transaction.

SUBPART L—ELIGIBILITY FOR A HEALTH PLAN
§ 162.1201 Eligibility for a health plan transaction.
§ 162.1202 Standards for eligibility for a health plan transaction.
§ 162.1203 Operating rules for eligibility for a health plan transaction.

SUBPART M—REFERRAL CERTIFICATION AND AUTHORIZATION
§ 162.1301 Referral certification and authorization transaction.
§ 162.1302 Standards for referral certification and authorization transaction.

SUBPART N—HEALTH CARE CLAIM STATUS
§ 162.1401 Health care claim status transaction.
§ 162.1402 Standards for health care claim status transaction.
§ 162.1403 Operating rules for health care claim status transaction.

SUBPART O—ENROLLMENT AND DISENROLLMENT IN A HEALTH PLAN
§ 162.1501 Enrollment and disenrollment in a health plan transaction.
§ 162.1502 Standards for enrollment and disenrollment in a health plan transaction.

SUBPART P—HEALTH CARE ELECTRONIC FUNDS TRANSFERS (EFT) AND REMITTANCE ADVICE
§ 162.1601 Health care electronic funds transfers (EFT) and remittance advice transaction.
§ 162.1602 Standards for health care electronic funds transfers (EFT) and remittance advice transaction.
§ 162.1603 Operating rules for health care electronic funds transfers (EFT) and remittance advice transaction.

SUBPART Q—HEALTH PLAN PREMIUM PAYMENTS
§ 162.1701 Health plan premium payments transaction.
§ 162.1702 Standards for health plan premium payments transaction.

SUBPART R—COORDINATION OF BENEFITS
§ 162.1801 Coordination of benefits transaction.
§ 162.1802 Standards for coordination of benefits information transaction.

SUBPART S—MEDICAID PHARMACY SUBROGATION
§ 162.1901 Medicaid pharmacy subrogation transaction.
§ 162.1902 Standard for Medicaid pharmacy subrogation transaction.

PART 164—SECURITY AND PRIVACY

SUBPART A—GENERAL PROVISIONS
§ 164.102 Statutory basis.
§ 164.103 Definitions.
§ 164.104 Applicability.
§ 164.105 Organizational requirements.
§ 164.106 Relationship to other parts.

SUBPART B [RESERVED]

SUBPART C—SECURITY STANDARDS FOR THE PROTECTION OF ELECTRONIC PROTECTED HEALTH INFORMATION
§ 164.302 Applicability.
§ 164.304 Definitions.
§ 164.306 Security standards: General rules.
§ 164.308 Administrative safeguards.
§ 164.310 Physical safeguards.
§ 164.312 Technical safeguards.
§ 164.314 Organizational requirements.
§ 164.316 Policies and procedures and documentation requirements.
§ 164.318 Compliance dates for the initial implementation of the security standards.

SUBPART D—NOTIFICATION IN THE CASE OF BREACH OF UNSECURED PROTECTED HEALTH INFORMATION
§ 164.400 Applicability.
§ 164.402 Definitions.
§ 164.404 Notification to individuals.
§ 164.406 Notification to the media.
§ 164.408 Notification to the Secretary.
§ 164.410 Notification by a business associate.
§ 164.412 Law enforcement delay.
§ 164.414 Administrative requirements and burden of proof.

SUBPART E—PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
§ 164.500 Applicability.
§ 164.501 Definitions.
§ 164.502 Uses and disclosures of protected health information: General rules.
§ 164.504 Uses and disclosures: Organizational requirements.
§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.
§ 164.508 Uses and disclosures for which an authorization is required.
§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.
§ 164.514 Other requirements relating to uses and disclosures of protected health information.
§ 164.520 Notice of privacy practices for protected health information.
§ 164.522 Rights to request privacy protection for protected health information.
§ 164.524 Access of individuals to protected health information.
§ 164.526 Amendment of protected health information.
§ 164.528 Accounting of disclosures of protected health information.
§ 164.530 Administrative requirements.
§ 164.532 Transition provisions.
§ 164.534 Compliance dates for initial implementation of the privacy standards.

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

Subpart A—General Provisions
§ 160.101 Statutory basis and purpose.
§ 160.102 Applicability.
§ 160.103 Definitions.
§ 160.104 Modifications.
§ 160.105 Compliance dates for implementation of new or modified standards and implementation specifications.

Subpart B—Preemption of State Law
§ 160.201 Statutory basis.
§ 160.202 Definitions.
§ 160.203 General rule and exceptions.
§ 160.204 Process for requesting exception determinations.
§ 160.205 Duration of effectiveness of exception determinations.

Subpart C—Compliance and Investigations
§ 160.300 Applicability.
§ 160.302 [Reserved]
§ 160.304 Principles for achieving compliance.
§ 160.306 Complaints to the Secretary.
§ 160.308 Compliance reviews.
§ 160.310 Responsibilities of covered entities and business associates.
§ 160.312 Secretarial action regarding complaints and compliance reviews.
§ 160.314 Investigational subpoenas and inquiries.
§ 160.316 Refraining from intimidation or retaliation.

Subpart D—Imposition of Civil Money Penalties
§ 160.400 Applicability.
§ 160.401 Definitions.
§ 160.402 Basis for a civil money penalty.
§ 160.404 Amount of a civil money penalty.
§ 160.406 Violations of an identical requirement or prohibition.
§ 160.408 Factors considered in determining the amount of a civil money penalty.
§ 160.410 Affirmative defenses.
§ 160.412 Waiver.
§ 160.414 Limitations.
§ 160.416 Authority to settle.
§ 160.418 Penalty not exclusive.
§ 160.420 Notice of proposed determination.
§ 160.422 Failure to request a hearing.
§ 160.424 Collection of penalty.
§ 160.426 Notification of the public and other agencies.

Subpart E—Procedures for Hearings
§ 160.500 Applicability.
§ 160.502 Definitions.
§ 160.504 Hearing before an ALJ.
§ 160.506 Rights of the parties.
§ 160.508 Authority of the ALJ.
§ 160.510 Ex parte contacts.
§ 160.512 Prehearing conferences.
§ 160.514 Authority to settle.
§ 160.516 Discovery.
§ 160.518 Exchange of witness lists, witness statements, and exhibits.
§ 160.520 Subpoenas for attendance at hearing.
§ 160.522 Fees.
§ 160.524 Form, filing, and service of papers.
§ 160.526 Computation of time.
§ 160.528 Motions.
§ 160.530 Sanctions.
§ 160.532 Collateral estoppel.
§ 160.534 The hearing.
§ 160.536 Statistical sampling.
§ 160.538 Witnesses.
§ 160.540 Evidence.
§ 160.542 The record.
§ 160.544 Post hearing briefs.
§ 160.546 ALJ's decision.
§ 160.548 Appeal of the ALJ's decision.
§ 160.550 Stay of the Secretary's decision.
§ 160.5
